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MEMORANDUM TO THE PRESIDENT 



GOVERNMENT USE OF WEB ANALYTICS 




Background 

Web analytics is the study of visitor activity on a website, involving the 
collection and analysis of daia on how users interact with a website. It can 
be used to provide details on web traffic, the path taken by a visitor 
through a website, whether a visitor has ever been to the site before and 
how they came to visit the site (e.g. through a search engine, cookies, or a 
bookmark). Google Analytics is a popular web analytics program and is 
currently being used by many Government of Canada departments. 

In her letter to you dated June 2, 201 1 , the Privacy Commissioner 
expresses concern about the privacy risks inherent in the use of web 
analytics. She is particularly concerned with the retention and transfer of 
Internet Protocol (IP) addresses, which may, in certain circumstances, be 
considered as personal information given that they, in combination with 
other data elements, can lead to the identification of a specific visitor. The 
Privacy Commissioner calls for direction in four areas: (1) collection and 
use of Internet Protocol addresses, (2) retention of these, (3) safeguards 
for their protection, and (4) disclosure. 

The Privacy Commissioner further states that over 40 government 
departments are using Google Analytics, including the Treasury Board 
Secretariat, and that she has not yet received any Privacy Impact 
Assessment (PIA) concerning the deployment of these tools, as is 
required by the Treasury Board Directive on Privacy Impact Assessments. 
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She concludes by urging Treasury Board to develop guidance around the 
use of web analytics, and until such time as guidance is available requests 
that a moratorium be placed on transferring such data to third parties, 
particularly those located outside Canada. 

Treasury Board has no clear guidance on the protection of Internet 
Protocol addresses, but does have guidance in place regarding the use of 
"cookies" on Government of Canada websites which essentially states that 
institutions must undertake to follow eight steps to ensure cookies are only 
implemented when required, that information collected is minimized and 
safeguarded, and that a "cookie-free" navigation option must be provided. 

A Privacy Notice is being drafted for posting on the Treasury Board 
Secretariat and other government websites explaining the use of Google 
Analytics, including the types of cookies used and how they can be 
disabled (i.e. how a visitor can "opt out" of being tracked) which will be 
reviewed by the appropriate Treasury Board policy centre. We are 
currently working with those responsible for Common Look and Feel 
standards and Web Standards to ensure that consistent guidance is 
provided to all government departments. 



Recommendation 

You are requested to sign the letter indicating that Treasury Board 
Secretariat will undertake research and analysis into this issue, 




Michelle d'Auray 




Corinne Charette, Chief Information Officer, Chief Information Officer 
Branch (957-7070) 

Attachment 



President 
of the Treasury Board 




President 

du Conseii du Tresor 



Ottawa, Canada K1A0R5 



Ms. Jennifer Stoddart 
Privacy Commissioner of Canada 
..Offices of the Information and 
Privacy Commissioners 
Place de Ville, Tower B 
112 Kent Street, 3 rd Floor 
Ottawa, Ontario 
K1A1H3 
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Dear Ms. Stoddart: 

Thank you for your letter, dated June 2, 20 1 1 , regarding Government use 
of web analytics. I have noted your comments. 

As you have correctly pointed out, the Secretariat has had guidance in 
place regarding the use of "cookies" on Government of Canada websites since 
2002 which essentially states that institutions must undertake to follow eight steps 
to ensure cookies are only implemented when required, that information collected 
is minimized and safeguarded, and that a "cookie-free" navigation option must be 
provided. 

L 

I 

That said, I agree that the rapidly developing field of internet analytical 
technology also calls for a whole-of-government approach. Only data which is 
germane to the analytical process - and has been adequately and robustly 
anonymized - should be shared with third party service providers. I believe this 
to be a reasonable approach which strikes the balance between understanding how 
the Government of Canada can ensure its websites are most effective, while 
safeguarding personal information of those who visit them. 
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In conclusion, please accept my assurance that my staff will continue to 
work collaboratively with your Office to protect the privacy rights of Canadians 



Again, thank you for writing. 



Yours sincerely, 



The Honourable Tony Clement, P.C., M.P 
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Dear Minister: 

. . _ is accept my sincere congratulations on your appointment as the 
President of trie Treasury Board and Minister for the; Federal ;Ecpriomic Development 
initiative for Northern Ontario. It is in your capaci^ as Presidept of the Treasury 
Board that i am writing to you about a. matter .that has come to my Office's attention 
and that ! believe requires consideration by you as designated Minister responsible 
under the Privacy Act for developing guidance for government institutions and 
agencies. 

The Use of Web Analytics 

My OCrce is aware that a number of government departments and agencies 
have Replayed web analytics to improve their sites. To provide some background 
information, webanaiytics is the study of visitor activity, on a webstte ( which involves 
the collection and analysis of data about how users interact with a site. Weh analytics 
provide a detailed picture of web traffic, including such Information; as, whether a 
visitor has come to a site for the first time and what sequence of pages they view 
when navigating the site, the goal of analytics is" to support formal evaluation, helping: 
website operators to figure out if their site is effective . and how it is being used. 
Analytics results can.be used in many ways, such as reorganizing a site to make it 
easier to find information, or figuring out whether a publicity campaign led to more 
online visitors. 

In order to run analytics, information about website visitors and their activities 
must be collected and used. Some of the data used in analytics includes visitors' IP 
addresses and the date and time of visit, as well as cookies {for tracking) and the 
type of browser being used. The specific analytics practices m use, including the 
types of data collected for analysts, van/ across departments and websites. Cookies, 
for example, are used widely across government sites. Treasury Board issued ju V 
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guidance, last revised in 2002, on cookie use for government sites. 1 This guidance 
allows for cookies to be used, but also recommends that departments determine if 
cookies are necessary, and that visitors should not have to accept cookies in order to 
gain access to government information. In addition, this guidance recommends that 
government websites should facilitate anonymous access, and that the use of 
persistent cookies should be avoided whenever possible. 

The Privacy Implications 

The collection and use of such analytics data raise privacy issues. The piece 
of data most likely to be considered to be personal information is the IP address, 
which could be tied to a specific visitor, particularly in combination with other details 
collected during site visits (e.g., browser type, cookie data). IP addresses are 
collected (and usually stored) every time a visitor comes to a site, irrespective of 
whether or not they are further used in web analytics, making this collection a broader 
issue. This IP information may be stored for long periods of time: there is no 
requirement under the Privacy Act that compels departments to delete the data they 
collect on their web servers. 

Currently there is no formal guidance, such as a Treasury Board directive or 
guidelines, concerning the use of web analytics. In the absence of formal guidance, 
departments have been deciding independently how they can use the data that they 
collect about website visits. One aspect that must be considered is whether analytics 
are performed in-house (within a department), or by a third party. Any department 
managing its own web analytics requires dedicated personnel with specialized skills, 
and the resources to perform ongoing analysis. Given such demands, in many cases 
government web analytics are being outsourced to third parties, sometimes outside of 
Canada. One such third-party service is Google Analytics, which provides an easy-to- 
use tool at no cost. Over 40 government sites have already deployed Google 
Analytics, and this tool has proven very popular. It is likely that its deployment will 

continue to grow. 
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1 Guidelines for Cookies on Government of Canada Web Sites, http://www.tbs-sct.gc.ca/pgol- 
pged/cookies-temoins/cookies-temoinsOO-eng.asp 
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Necessary Guidance 

This growth trend in analytics in government suggests that guidance on any 
privacy considerations is a necessary step to ensure that these tools are deployed in 
a privacy-protective manner. In 2010, my Office held consultations on online 
tracking, profiling and targeting, and cloud computing. Although the focus of the 
consultations was on private sector practices, many of the issues raised during that 
consultation apply to federal government practices. Studies we have seen suggest 
that Canadians are uncomfortable with how their use of web sites is tracked - when 
they are aware of the practices. While the consultations typically centred on tracking 
web usage within the advertising context, it is likely that Canadians may have 
concerns about how government departments and agencies are tracking citizen use 

of government web sites. 

I therefore believe serious consideration needs to be given to the following 

issues: 

1 Collection and Usage: What types of web usage information may be 
collected and analyzed, and for what purposes? What kinds of techniques 
may be used to collect information for analytics (e.g., cookies)? 

2 Retention: How long should site visit information, such as web server logs, be 
stored before being deleted? Could aggregate reports be retained, instead of 

the raw, detailed data? 
3. Safeguards: What measures must be taken to protect web analytics data, if it 

contains personal information? 
4 Disclosure: Should government website data be shared with third parties, 
such as Google, for the purposes of analytics? If so, what (if any) limits should 
be in place (e.g., should the data be kept within Canada)? 

Given that many departments have already deployed third-party analytics and 
that my Office did not receive any Privacy Impact Assessments - indeed we only 
became aware of the current situation when a department approached us for advice - 
I am concerned that very important privacy considerations are not being addressed in 
a comprehensive and consistent manner across government. 
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I would respectfully urge that clear guidance be developed around these 
practices as soon as practicable, and that in the interim, a moratorium be placed on 
transferring such data to third parties, particularly those located outside of Canada, 
until the privacy implications of such practices are fully addressed. As always, my 
Office would be happy to discuss this issue in greater detail with Treasury Board 
officials. 

Thank you for your consideration, 



Yours sincerely, 




Jennifer Stoddart 

Privacy Commissioner of Canada 



c.c: Michelle d'Auray, Secretary of the Treasury Board of Canada 
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